Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-12-2024 21:41

General

  • Target

    44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1.exe

  • Size

    7.1MB

  • MD5

    774542c18369a36cbb4281782fded87f

  • SHA1

    45292130f77e484bbaab72792890d9f61419bf82

  • SHA256

    44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1

  • SHA512

    693701ecd1a90887ce6b90827dcffdabb93f1594622e65bfcb9c8cc3642ca27dd82a4e43d95ee7150076d0dcfcb727edfdda1b85cb078230e02f1b5f14e9cf78

  • SSDEEP

    98304:gGOSnfbzz2d463IROME9bCOspSizzAukSFdhkq/Bc7iJc8Id59OLtk+e:CSj3C4GIIdCOs2hSFdhJ/aemHdIk

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Neshta family
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 13 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 13 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Power Settings 1 TTPs 4 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1.exe
    "C:\Users\Admin\AppData\Local\Temp\44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Local\Temp\dvm.exe
      "C:\Users\Admin\AppData\Local\Temp\dvm.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Users\Admin\AppData\Local\Temp\tempfile
        "C:\Users\Admin\AppData\Local\Temp\tempfile"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:316
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1644
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1728
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1648
        • C:\Windows\explorer.exe
          explorer.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1788
    • C:\Users\Admin\AppData\Local\Temp\SpyNote.exe
      "C:\Users\Admin\AppData\Local\Temp\SpyNote.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Users\Admin\AppData\Local\Temp\3582-490\SpyNote.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\SpyNote.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 624
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\SpyNote.exe

    Filesize

    420KB

    MD5

    01f79dab4df97b5571684298b663e4dd

    SHA1

    f9610961b141da9ac181ff4ed6fbe86fecee54f4

    SHA256

    64fe3f3104b628744ed9a6c6b8e6d780a310d9c2c7d5b9e13824bdfa17a25b8d

    SHA512

    b27ecdcf29d60feb25c6fa852fc214b0a742f07e63316185c987126282d114bd118259c421ad4938b16975108a317e9816fe457339fb030e8e6b9bf307d53b5f

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\SpyNote.exe

    Filesize

    461KB

    MD5

    f0a348ebcfaccc589f4baf152dc6b3a6

    SHA1

    3952d9ba4404ec4e7732256b4d7c6abef0eb5643

    SHA256

    4dcaaf2ad32e6b01158a2c152f9aa457fb49ff1a99454ddc940448b24d8d81f1

    SHA512

    3c06151c98a3de3b10439176663a41b6816c75ac6600adb635e86051e8560a917061b28943a086ceb83fbbcf76b1416a9d19974b218ca340873160941ec25325

  • \Users\Admin\AppData\Local\Temp\dvm.exe

    Filesize

    6.6MB

    MD5

    5dfae2b96d8bc6790c29ec2ac85afe99

    SHA1

    db05a87beb16572c793142c9bc5e42e8cc37b063

    SHA256

    dfcfdb44cd6a19ca1a215dedd9b90962141d31369867983345e6550d2d750996

    SHA512

    88ca9fecbab0dad5fef042156e28523cd064227a68ef581843377dbc9af04883a39b970b5ffe5985c972df99e8e96c4b08f98c426c469764d666c8955c688b55

  • \Users\Admin\AppData\Local\Temp\tempfile

    Filesize

    2.5MB

    MD5

    00fc60282e801348211f9fad3d15f7ce

    SHA1

    8a4f8cb033ec7ccdbe2dcabf8c0883ee3c664b4c

    SHA256

    01861308d403364e53c1d18857a0e37025689517b4f5fafefd78f6a339c68813

    SHA512

    820e51518457b909aa527cc07746e612fea1c0b0a639837f8bcd7df53ee1a64ffda1c10092586129184433f6ea89d3ee3eab5a9938e80098e0776526097c9065

  • memory/1480-29-0x0000000001030000-0x000000000109E000-memory.dmp

    Filesize

    440KB

  • memory/1788-125-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-126-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-119-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-122-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-123-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-127-0x00000000001B0000-0x00000000001D0000-memory.dmp

    Filesize

    128KB

  • memory/1788-139-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-121-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-120-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-138-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-129-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-132-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-131-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-130-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-128-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-141-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-140-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-136-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/1788-137-0x0000000140000000-0x0000000140835000-memory.dmp

    Filesize

    8.2MB

  • memory/2072-28-0x0000000000E30000-0x00000000014C8000-memory.dmp

    Filesize

    6.6MB

  • memory/2540-117-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2540-135-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2540-133-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB